On January 23, 2019, the European Commission (“EC”) adopted its adequacy decision on Japan. Japan issued an equivalent decision regarding data transfers from Japan to the European Union on the same day. This means that companies may now freely transfer personal data from the EU to Japan and the other way around. This is the first EC’s adequacy decision since May 25, 2018, the day when the EU General Data Protection Regulation (“GDPR”) had full legal effects.
Background
Transfers of Personal Data Under the GDPR. Under the GDPR, companies may only transfer personal data outside the EU if the EC has decided that the recipient country offers an “adequate level of protection” of personal data (“adequacy decision”), or if they have implemented appropriate safeguards through specific instruments, such as standard contractual clauses approved by the EC or binding corporate rules. In this light, adequacy decisions are always welcome as they make personal data transfers much easier and less cumbersome.
Political Context. The adequacy decision on Japan complements the EU-Japan Economic Partnership Agreement, which will enter into force on February 1, 2019. Because this economic partnership agreement was a major objective of the EC, and because easier data flows play a key role in promoting free trade, the adoption of the adequacy decision was backed by a strong political will.
Timeline. The adequacy discussions started in January 2017 and were successfully concluded, on principle, a year later. The EC published its draft adequacy decision in September 2018, and the European Data Protection Board (“EDPB”), which is composed of all European national data protection authorities, published its opinion in December 2018. It therefore took the EC two years to issue its adequacy decision. Officials reported that reaching the agreement has taken more than 80 rounds of negotiations played out over 300 hours since April 2016.
The Japanese Data Protection Framework
The 2003 Japan’s Act on the Protection of Personal Information (“APPI”), which entered into force in 2005, has been amended in 2015. The amended APPI came into force in May 2017 and brought the Japanese data protection framework closer to the EU framework. In particular, the amended APPI created the Personal Information Protection Commission (“PPC”), a central and independent authority replacing the sectorial competence that previously depended from various Japanese ministries. The new APPI also introduced new rules restricting companies from transferring personal data outside Japan unless they have implemented appropriate safeguards, or the recipient country offers appropriate protection of personal data.
Filling the Gaps Between the GDPR And the APPI
Despite the 2015 APPI amendments, there were still some gaps between the EU and the Japanese data protection framework. The EC and the PPC made efforts to fill these gaps through the adoption of additional rules (the “Supplementary Rules”) by the PPC. These rules only apply to personal data transferred from the EU to Japan.
For example, the Supplementary Rules ensure that individuals’ data protection rights will apply to all personal data transferred from the EU to Japan, irrespective of their retention period. This is the case in the EU, but not in Japan, where such rights do not apply to personal data that are set to be deleted within a period of six months. Other examples include the conditions under which EU data can be further transferred from Japan to another third country, and the fact that the PPC agreed to treat further categories of data as sensitive data (sensitive data under the APPI do not include sexual orientation nor trade union membership).
End of Story?
Although the adoption of the adequacy decision on Japan is great news for companies transferring personal data from the EU to Japan, this is not the end of the story yet.
First, the EC and the PPC will jointly assess the functioning of the adequacy decision in two years. They will subsequently review the decision at least every four years. The EC may decide to withdraw the adequacy decision in case of developments affecting the level of protection in Japan.
Second, the EDPB identified national security as a key issue. Japan has indicated that personal data may only be obtained from freely accessible sources or through voluntary disclosure by companies, and that it does not collect information on the general public. However, the EDPB noted that it is aware of concerns expressed by experts and in the media and it listed a number of issues to follow-up in this respect, notably on the voluntary disclosure mechanism. For this reason, EDPB representatives will participate in the review of the adequacy decision regarding access to data for law enforcement and national security purposes. The Court of Justice of the EU (“CJEU”) already struck down the EC’s decision that enabled personal data transfers from the EU to the U.S. (the “Safe Harbor”) because of concerns relating to national security agencies’ processing operations following Snowden’s allegations. Also, there is already a pending case (C-623/17) before the CJEU regarding the Privacy Shield, which replaced the Safe Harbor, and a pending case (C-311/18) regarding the validity of the so-called “Standard Contractual Clauses”. Therefore, there is a risk that the CJEU could strike down the adequacy decision on Japan should it consider that it does not offer sufficient guarantees with respect to surveillance measures by Japanese governmental entities.
In this light, continuing to monitor legal developments regarding international transfers of personal data to recipients outside the EU will be necessary. Nevertheless these two adequacy decisions, which create the world’s largest area of safe data flows, are a major milestone.